Sunday, April 20, 2014
Apple's SSL/TLS bug (22 Feb 2014)
Lastly, there was a lot of discussion yesterday that Apple missed checking the hostname in the certificate. It's true that curl on the OS X command line oddly accepts HTTPS connections to IP addresses when the IP address isn't in the certificate, but I can't find that there's anything more than that and Safari doesn't have that problem.
99% BAD HARDWARE WEEK:
The researchers who discovered Heartbleed said the bug could exist inside hundreds of millions of websites, based on the market share of the open-source software that uses OpenSSL. The number is closer to 500,000, because only a fraction of sites had the vulnerable functionality turned on, according to Netcraft, a cyber-security firm.
ADAM LANGLEY from Google is the mysterious person who discovered the Heartbleed bug's effects in Apple's OSs after it was patched on February 21st.
From the point of view of a browser, Langley has seen many HTTPS sites getting it dreadfully wrong and, from the point of view of a server, he’s part of what is probably the largest HTTPS serving system in the world.